> <span security=XXXX>
>
> user_content_which_should_behave_like_cdata_and_not_have_html_tags_interpreted_so_that_xss_here_is_not_possible
> </span security=XXXX>
>
>
Ah but my point is before HTML is rendered the start and end markers should
be parsed first. CDATA doesn't matter.
> Perhaps a more compatible approach would be:
>
> <securityXXXX> // With secret token in tag name
> user_content_here
> </securityXXXX>
>
> ...but it's also unlikely to fly with purists.
>
I prefer this, maybe with some extra characters that aren't likely to be
used:
<__securityXXXX__> // With secret token in tag name
user_content_here
</__securityXXXX__>
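An added example (not code from anyone in this thread) of what "parse the start and end markers first" could mean, in Python: a pre-pass locates the token-named container before any HTML tokenisation and escapes everything between the markers, so user content is text rather than markup. The helper names and the `<span class="user">` replacement are assumptions; the last case shows the scheme stands or falls on the token staying unguessable and fresh per response.

```python
import html
import re
import secrets

# Toy model of the proposed <__securityTOKEN__> container.  Nothing here is
# browser code; it only demonstrates the ordering the thread argues for:
# find the markers first, then treat the inside as opaque text.


def make_token() -> str:
    """Fresh, unguessable token.  Generate one per response; never reuse it."""
    return secrets.token_hex(16)


def wrap_user_content(user_content: str, token: str) -> str:
    """Server side: emit untrusted content inside the token-named container."""
    return f"<__security{token}__>{user_content}</__security{token}__>"


def render(page: str, token: str) -> str:
    """Consumer-side pre-pass (assumed behaviour): before any HTML parsing,
    everything between a matching open/close marker pair is HTML-escaped and
    re-emitted inside a plain container.  Content outside the markers is
    passed through untouched, as a normal HTML parser would then see it."""
    open_tag = f"<__security{token}__>"
    close_tag = f"</__security{token}__>"
    # Non-greedy: the region ends at the FIRST close marker with this token,
    # which is exactly why a leaked token lets content break out.
    region = re.compile(re.escape(open_tag) + r"(.*?)" + re.escape(close_tag), re.S)

    def escape_region(match: re.Match) -> str:
        return '<span class="user">' + html.escape(match.group(1)) + "</span>"

    return region.sub(escape_region, page)


if __name__ == "__main__":
    tok = make_token()
    # Constructed sample: script in user content is neutralised.
    print(render(wrap_user_content("<script>alert(1)</script>", tok), tok))
    # Constructed sample: a close marker with the wrong token stays inert.
    print(render(wrap_user_content("</__securityGUESS__><b>x</b>", tok), tok))
    # Constructed sample: if the token leaks, the container can be closed early.
    print(render(wrap_user_content(f"</__security{tok}__><b>x</b>", tok), tok))
```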